This tool analyzes a given Github repository and searches for dangling or force-pushed commits, containing potential secret or interesting information.
- Python3
- requests
git clone https://github.com/neodyme-labs/github-secrets.gitTo get a list of basic options and switches use:
python3 github_scanner.py -hYou can run this script either completely unauthenticated, with rather low Github API rate limits, or your export a generated API token.
The tokens need no privileges at all and are only used, for authentication against the API. A fine-grained personal access token is required for this project without any additional permissions.
To export the token use:
export GITHUB_ACCOUNT_TOKEN=<your_secret_api_token>To run the script and scan a repository:
python3 github_scanner.py <username>/<repository>To check your current API rate limits and usage with token:
curl -L -H "Accept: application/vnd.github+json" -H "Authorization: Bearer <your_secret_api_token>" -H "X-GitHub-Api-Version: 2022-11-28" https://api.github.com/rate_limitWithout token:
curl -L -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" https://api.github.com/rate_limitLicensed under either of
- Apache License, Version 2.0, (LICENSE-APACHE or http://www.apache.org/licenses/LICENSE-2.0)
- MIT license (LICENSE-MIT or http://opensource.org/licenses/MIT)
at your option.
Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.